User Validation on MFA Level #3905

ericherscovich · 2023-07-05T20:17:39Z

Contributes to #3800

What problem are you solving?

MFA Level could be set without having any MFA device, such as not having a mfa_seed (-> totp_seed) set, nor webauthn credentials. Users could also have MFA disabled while still having devices. This could lead to data inconsistencies.

What approach did you choose and why?

Adds a validation on a user to ensure that mfa_level can only be set if there is a MFA device present and can only be disabled if there is no MFA device.

What should reviewers focus on?

The approach to validating that MFA level is set in the correct scenarios.

Testing

Can attempt to set MFA impromperly, for example by doing create(:user, mfa_level: :ui_and_api) and observing it fails validation.

⚠️ Pre-merging considerations ⚠️

We should validate if this is somehow present in production. Specifically, we should check if there exists any user that has mfa_level somehow set while not having any MFA devices. We should also check that there isn't any user that has mfa_level set to disabled, but has an MFA device present. It's possible that merging this would cause some funky behaviour for users if they somehow got into a weird state like this. I don't have the ability to check production in this way, so will have to defer to other maintainers to validate this before merging.

codecov · 2023-07-05T20:29:58Z

Codecov Report

Merging #3905 (c255e8b) into master (642b650) will increase coverage by 0.00%.
The diff coverage is 100.00%.

❗ Current head c255e8b differs from pull request most recent head 3486573. Consider uploading reports for the commit 3486573 to get more accurate results

@@           Coverage Diff           @@
##           master    #3905   +/-   ##
=======================================
  Coverage   98.79%   98.79%           
=======================================
  Files         217      217           
  Lines        5406     5414    +8     
=======================================
+ Hits         5341     5349    +8     
  Misses         65       65

Impacted Files	Coverage Δ
app/models/concerns/user_multifactor_methods.rb	`100.00% <100.00%> (ø)`

simi · 2023-07-05T22:27:34Z

@ericherscovich I did some initial checks.

Specifically, we should check if there exists any user that has mfa_level somehow set while not having any MFA devices.

User.where.not(mfa_level: 'disabled').each_with_object(0) {|u,m| m=m+1 if u.webauthn_credentials.none?}
#=> 0 # yes, I was lazy to write JOIN logic in here

We should also check that there isn't any user that has mfa_level set to disabled, but has an MFA device present.

User.where(mfa_level: 'disabled').joins(:webauthn_credentials).count
#=> 0

ericherscovich · 2023-07-05T22:40:37Z

@ericherscovich I did some initial checks.

Specifically, we should check if there exists any user that has mfa_level somehow set while not having any MFA devices.
User.where.not(mfa_level: 'disabled').each_with_object(0) {|u,m| m=m+1 if u.webauthn_credentials.none?}
#=> 0 # yes, I was lazy to write JOIN logic in here
We should also check that there isn't any user that has mfa_level set to disabled, but has an MFA device present.
User.where(mfa_level: 'disabled').joins(:webauthn_credentials).count
#=> 0

Thank you! Could you do a more generic check that would check for TOTP as well? You should be able to check something along the lines of

User.where.not(mfa_level: 'disabled') and check u.no_mfa_devices?
User.where(mfa_level: 'disabled') and u.!no_mfa_devices?

simi · 2023-07-05T23:04:31Z

@ericherscovich like this?

User.where.not(mfa_level: 'disabled') and check u.no_mfa_devices?

User.where.not(mfa_level: 'disabled').each_with_object(0) {|u,m| m=m+1 if u.no_mfa_devices?}
=> 0

User.where(mfa_level: 'disabled') and u.!no_mfa_devices?

User.where(mfa_level: 'disabled').each_with_object(0) {|u,m| m=m+1 if !u.no_mfa_devices?}
=> 0

ericherscovich · 2023-07-05T23:05:53Z

@ericherscovich like this?

User.where.not(mfa_level: 'disabled') and check u.no_mfa_devices?
User.where.not(mfa_level: 'disabled').each_with_object(0) {|u,m| m=m+1 if u.no_mfa_devices?}
=> 0
User.where(mfa_level: 'disabled') and u.!no_mfa_devices?
User.where(mfa_level: 'disabled').each_with_object(0) {|u,m| m=m+1 if !u.no_mfa_devices?}
=> 0

Yes that looks like what I was looking for! Thank you for doing this check :D

test/models/concerns/user_multifactor_methods_test.rb

segiddins · 2023-07-06T18:35:33Z

irb(main):002:0> User.where.not(mfa_level: 'disabled').find_each.count(&:no_mfa_devices?)
=> 0
irb(main):003:0> User.where(mfa_level: 'disabled').find_each.count { !_1.no_mfa_devices? }

=> 0

Remove comments Fix tests Fix test

simi approved these changes Jul 5, 2023

View reviewed changes

bettymakes reviewed Jul 6, 2023

View reviewed changes

test/models/concerns/user_multifactor_methods_test.rb Show resolved Hide resolved

bettymakes reviewed Jul 6, 2023

View reviewed changes

test/models/concerns/user_multifactor_methods_test.rb Show resolved Hide resolved

bettymakes reviewed Jul 6, 2023

View reviewed changes

test/models/concerns/user_multifactor_methods_test.rb Show resolved Hide resolved

bettymakes mentioned this pull request Jul 10, 2023

Add MFA level validation #3870

Closed

jenshenny approved these changes Jul 10, 2023

View reviewed changes

Add validation for mfa level

b0d3b83

ericherscovich force-pushed the eric/mfa-level-validation branch from 240db75 to 38e97d9 Compare July 11, 2023 20:11

Update impromper tests, add traits to user factory

3486573

Remove comments Fix tests Fix test

ericherscovich force-pushed the eric/mfa-level-validation branch from c255e8b to 3486573 Compare July 11, 2023 20:29

jenshenny merged commit ffe6b45 into rubygems:master Jul 12, 2023

rubygems-org-shipit bot temporarily deployed to staging July 12, 2023 13:28 Inactive

rubygems-org-shipit bot temporarily deployed to production July 12, 2023 21:40 Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

User Validation on MFA Level #3905

User Validation on MFA Level #3905

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Uh oh!

User Validation on MFA Level #3905

User Validation on MFA Level #3905

Uh oh!

Conversation

What problem are you solving?

What approach did you choose and why?

What should reviewers focus on?

Testing

⚠️ Pre-merging considerations ⚠️

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants